diff --git a/terraform/subscriptions/modules/userassignedidentity/main.tf b/terraform/subscriptions/modules/userassignedidentity/main.tf
index 6be8b1c90..8ff93b514 100644
--- a/terraform/subscriptions/modules/userassignedidentity/main.tf
+++ b/terraform/subscriptions/modules/userassignedidentity/main.tf
@@ -9,4 +9,15 @@ resource "azurerm_role_assignment" "this" {
   scope = each.value.scope_id
   role_definition_name = each.value.role
   principal_id = azurerm_user_assigned_identity.userassignedidentity.principal_id
-}
\ No newline at end of file
+}
+
+resource "azurerm_federated_identity_credential" "this" {
+  for_each = var.federated_credentials
+
+  audience = ["api://AzureADTokenExchange"]
+  issuer = each.value.issuer
+  name = each.value.name
+  parent_id = azurerm_user_assigned_identity.userassignedidentity.id
+  resource_group_name = var.resource_group_name
+  subject = each.value.subject
+}
diff --git a/terraform/subscriptions/modules/userassignedidentity/output.tf b/terraform/subscriptions/modules/userassignedidentity/output.tf
index 7ce404307..4e9c8a201 100644
--- a/terraform/subscriptions/modules/userassignedidentity/output.tf
+++ b/terraform/subscriptions/modules/userassignedidentity/output.tf
@@ -2,3 +2,8 @@ output "data" {
   description = "userassignedidentity"
   value = azurerm_user_assigned_identity.userassignedidentity
 }
+
+output "client-id" {
+  description = "userassignedidentity"
+  value = azurerm_user_assigned_identity.userassignedidentity.client_id
+}
diff --git a/terraform/subscriptions/modules/userassignedidentity/variables.tf b/terraform/subscriptions/modules/userassignedidentity/variables.tf
index 7d11e7275..5e1810f3a 100644
--- a/terraform/subscriptions/modules/userassignedidentity/variables.tf
+++ b/terraform/subscriptions/modules/userassignedidentity/variables.tf
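Review bot: The new `output "client-id"` in output.tf carries the description `"userassignedidentity"` copied verbatim from `output "data"`, so the module's two outputs read identically in generated documentation and `terraform output` listings. Give it a description that says what the value is and what it is for, e.g. `description = "Client ID of the user assigned identity (the value a federated/OIDC login presents as its client id)"`. The same copy-paste applies to `output "data"` above it, which is context here and not part of this change.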
@@ -19,4 +19,13 @@ variable "roleassignments" {
     scope_id = string
   }))
   default = {}
-}
\ No newline at end of file
+}
+
+variable "federated_credentials" {
+  type = map(object({
+    name = string
+    issuer = string
+    subject = string
+  }))
+  default = {}
+}
diff --git a/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf b/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf
index c6e11f4c9..bcd3e0ddd 100644
--- a/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf
+++ b/terraform/subscriptions/s940/c2/vulnerability-scanner/main.tf
@@ -46,6 +46,34 @@ module "mssql-database" {
   }
 }
 
+data "azurerm_container_registry" "acr" {
+  name = var.acr_name
+  resource_group_name = "common-westeurope" # TODO: Fix module.config.common_resource_group
+}
+
+module "github-workload-id" {
+  source = "../../../modules/userassignedidentity"
+  name = "radix-id-github-vulnerability-scan-${module.config.environment}"
+  resource_group_name = module.resourcegroup.data.name
+  location = module.resourcegroup.data.location
+  roleassignments = {
+    contributor = {
+      role = "Contributor" # Needed to open firewall
+      scope_id = data.azurerm_container_registry.acr.id
+    },
+  }
+  federated_credentials = {
+    github-release = {
+      name = "gh-radix-vulnerability-scan-acr-release-${module.config.environment}"
+      issuer = "https://token.actions.githubusercontent.com"
+      subject = "repo:equinor/radix-vulnerability-scanner:ref:refs/heads/release"
+    }
+  }
+}
+
 output "mi-client-id" {
   value = module.mssql-database.mi-admin
 }
+output "radix-id-github-vulnerability-scan" {
+  value = { "client-id" = module.github-workload-id.client-id }
+}
diff --git a/terraform/subscriptions/s940/c2/vulnerability-scanner/variables.tf b/terraform/subscriptions/s940/c2/vulnerability-scanner/variables.tf
index 56b4edea4..b07ee0d97 100644
--- a/terraform/subscriptions/s940/c2/vulnerability-scanner/variables.tf
+++ b/terraform/subscriptions/s940/c2/vulnerability-scanner/variables.tf
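Review bot: `variable "federated_credentials"` has no `description`, and its `issuer`/`subject` fields are the access-control decision for the identity: whatever external token matches them can exchange for this managed identity's permissions, so a caller needs to know the subject is matched exactly and must be as specific as possible. Add e.g. `description = "Federated identity credentials to attach. issuer is the external OIDC issuer; subject must equal the token's sub claim exactly (for GitHub: repo:<org>/<repo>:ref:refs/heads/<branch>) and is the trust boundary for who may act as this identity."`. A `validation` block that restricts `issuer` to the issuer(s) this repository actually federates with would also catch a mistyped issuer at plan time instead of leaving a credential nothing can use or, worse, one that trusts the wrong party; whether that is too restrictive for the module's other consumers I cannot tell from this hunk. The hunk's file header is on the previous line.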
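Review bot: `role = "Contributor"` on the registry scope (the `contributor` entry in `roleassignments`) grants the GitHub workflow considerably more than the stated purpose `# Needed to open firewall`: Contributor on a container registry can push, delete and retag images and change any registry setting, and because the federated subject is pinned to `refs/heads/release`, every workflow run on that branch holds this role, making branch protection on `release` the effective control for registry-wide write access. If the job only needs to manage the registry's network rules, a custom role limited to the registry read/write actions (with `AcrPush` added only if it also publishes images) keeps the impact of a compromised workflow or dependency to the registry operations it actually performs; at minimum the comment should list which operations require Contributor so the grant can be revisited. The identical `data "azurerm_container_registry"` plus `module "github-workload-id"` block is repeated in `s940/prod/vulnerability-scanner/main.tf`, `s941/dev/vulnerability-scanner/main.tf` and `s941/playground/vulnerability-scanner/main.tf`, differing only in the resource group literal and the branch; a shared wrapper module would keep those four grants from drifting apart.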
@@ -7,3 +7,8 @@ variable "keyvault_dbadmin_secret_name" {
   type = string
   default = "radix-vulnerability-scan-db-admin"
 }
+
+variable "acr_name" {
+  type = string
+  default = "radixc2prod"
+}
diff --git a/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf b/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf
index ec7dbe761..22bf0da05 100644
--- a/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf
+++ b/terraform/subscriptions/s940/prod/vulnerability-scanner/main.tf
@@ -47,6 +47,34 @@ module "mssql-database-platform" {
   }
 }
 
+data "azurerm_container_registry" "acr" {
+  name = var.acr_name
+  resource_group_name = "common" # TODO: Fix module.config.common_resource_group
+}
+
+module "github-workload-id" {
+  source = "../../../modules/userassignedidentity"
+  name = "radix-id-github-vulnerability-scan-${module.config.environment}"
+  resource_group_name = module.resourcegroup.data.name
+  location = module.resourcegroup.data.location
+  roleassignments = {
+    contributor = {
+      role = "Contributor" # Needed to open firewall
+      scope_id = data.azurerm_container_registry.acr.id
+    },
+  }
+  federated_credentials = {
+    github-release = {
+      name = "gh-radix-vulnerability-scan-acr-release-${module.config.environment}"
+      issuer = "https://token.actions.githubusercontent.com"
+      subject = "repo:equinor/radix-vulnerability-scanner:ref:refs/heads/release"
+    }
+  }
+}
+
 output "mi-client-id" {
   value = module.mssql-database-platform.mi-admin
 }
+output "radix-id-github-vulnerability-scan" {
+  value = { "client-id" = module.github-workload-id.client-id }
+}
diff --git a/terraform/subscriptions/s940/prod/vulnerability-scanner/variables.tf b/terraform/subscriptions/s940/prod/vulnerability-scanner/variables.tf
index 058e077ea..b723a9700 100644
--- a/terraform/subscriptions/s940/prod/vulnerability-scanner/variables.tf
+++ b/terraform/subscriptions/s940/prod/vulnerability-scanner/variables.tf
@@ -7,3 +7,8 @@ variable "keyvault_dbadmin_secret_name" {
   type = string
   default = "radix-vulnerability-scan-db-admin"
 }
+
+variable "acr_name" {
+  type = string
+  default = "radixprod"
+}
diff --git a/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf b/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf
index 520878844..3095d4746 100644
--- a/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf
+++ b/terraform/subscriptions/s941/dev/vulnerability-scanner/main.tf
@@ -1,17 +1,14 @@
+module "config" {
+  source = "../../../modules/config"
+}
 module "resourcegroup" {
   source = "../../../modules/resourcegroups"
-  name = "${var.resourse_group_name}-${module.config.environment}"
+  name = "vulnerability-scan-${module.config.environment}"
   location = module.config.location
 }
-
-module "config" {
-  source = "../../../modules/config"
-}
-
-# TODO: Migrate keys to radix-keyv-dev when ready
 data "azurerm_key_vault" "keyvault" {
-  name = "radix-vault-dev" # module.config.key_vault_name
-  resource_group_name = "common" # module.config.common_resource_group
+  name = module.config.key_vault_name
+  resource_group_name = module.config.common_resource_group
 }
 
 data "azurerm_key_vault_secret" "keyvault_secrets" {
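Review bot: In the dev `main.tf` hunk, `data "azurerm_key_vault" "keyvault"` switches from the literal `"radix-vault-dev"` in resource group `"common"` to `module.config.key_vault_name` and `module.config.common_resource_group`, and the `# TODO: Migrate keys to radix-keyv-dev when ready` comment is removed. If the config module resolves to a different vault than `radix-vault-dev`, this is a data migration rather than a refactor: the `keyvault_secrets` lookup that starts on the hunk's last line (its body continues outside the hunk) will presumably read the DB admin secret from the new vault, so the secret must already exist there or the next apply fails at plan time; the commit description should say which vault is now used and that the secret was copied. Moving `module "config"` above `module "resourcegroup"` changes nothing in Terraform's evaluation order and is fine as a readability change.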
@@ -50,6 +47,34 @@ module "mssql-database" {
   }
 }
 
+data "azurerm_container_registry" "acr" {
+  name = var.acr_name
+  resource_group_name = "common" # TODO: Fix module.config.common_resource_group
+}
+
+module "github-workload-id" {
+  source = "../../../modules/userassignedidentity"
+  name = "radix-id-github-vulnerability-scan-${module.config.environment}"
+  resource_group_name = module.resourcegroup.data.name
+  location = module.resourcegroup.data.location
+  roleassignments = {
+    contributor = {
+      role = "Contributor" # Needed to open firewall
+      scope_id = data.azurerm_container_registry.acr.id
+    },
+  }
+  federated_credentials = {
+    github-main = {
+      name = "gh-radix-vulnerability-scan-acr-main-${module.config.environment}"
+      issuer = "https://token.actions.githubusercontent.com"
+      subject = "repo:equinor/radix-vulnerability-scanner:ref:refs/heads/main"
+    }
+  }
+}
+
 output "mi-client-id" {
   value = module.mssql-database.mi-admin
 }
+output "radix-id-github-vulnerability-scan" {
+  value = { "client-id" = module.github-workload-id.client-id }
+}
diff --git a/terraform/subscriptions/s941/dev/vulnerability-scanner/variables.tf b/terraform/subscriptions/s941/dev/vulnerability-scanner/variables.tf
index be69aaf32..8ce61486b 100644
--- a/terraform/subscriptions/s941/dev/vulnerability-scanner/variables.tf
+++ b/terraform/subscriptions/s941/dev/vulnerability-scanner/variables.tf
@@ -3,12 +3,12 @@ variable "admin-adgroup" {
   default = "Radix SQL server admin - dev"
 }
 
-variable "resourse_group_name" {
+variable "keyvault_dbadmin_secret_name" {
   type = string
-  default = "vulnerability-scan"
+  default = "radix-vulnerability-scan-db-admin"
 }
 
-variable "keyvault_dbadmin_secret_name" {
+variable "acr_name" {
   type = string
-  default = "radix-vulnerability-scan-db-admin"
+  default = "radixdev"
 }
diff --git a/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf b/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf
index e8774ac4e..3cee166a8 100644
--- a/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf
+++ b/terraform/subscriptions/s941/playground/vulnerability-scanner/main.tf
@@ -1,4 +1,3 @@
-
 module "config" {
   source = "../../../modules/config"
 }
@@ -7,7 +6,6 @@ module "resourcegroup" {
   name = "vulnerability-scan-${module.config.environment}"
   location = module.config.location
 }
-
 data "azurerm_key_vault" "keyvault" {
   name = module.config.key_vault_name
   resource_group_name = module.config.common_resource_group
@@ -21,10 +19,10 @@ data "azurerm_key_vault_secret" "keyvault_secrets" {
 module "mssql-database" {
   source = "../../../modules/mssqldatabase"
   env = module.config.environment
-  managed_identity_admin_name = "radix-id-vulnerability-scan-admin-${module.config.environment}"
-  managed_identity_server_name = "radix-id-vulnerability-scan-server-${module.config.environment}"
   database_name = "radix-vulnerability-scan"
   server_name = "sql-radix-vulnerability-scan-${module.config.environment}"
+  managed_identity_admin_name = "radix-id-vulnerability-scan-admin-${module.config.environment}"
+  managed_identity_server_name = "radix-id-vulnerability-scan-server-${module.config.environment}"
   audit_storageaccount_name = module.config.log_storageaccount_name
   admin_adgroup = var.admin-adgroup
   administrator_login = "radix"
@@ -48,6 +46,34 @@ module "mssql-database" {
   }
 }
 
+data "azurerm_container_registry" "acr" {
+  name = var.acr_name
+  resource_group_name = "common" # TODO: Fix module.config.common_resource_group
+}
+
+module "github-workload-id" {
+  source = "../../../modules/userassignedidentity"
+  name = "radix-id-github-vulnerability-scan-${module.config.environment}"
+  resource_group_name = module.resourcegroup.data.name
+  location = module.resourcegroup.data.location
+  roleassignments = {
+    contributor = {
+      role = "Contributor" # Needed to open firewall
+      scope_id = data.azurerm_container_registry.acr.id
+    },
+  }
+  federated_credentials = {
+    github-release = {
+      name = "gh-radix-vulnerability-scan-acr-release-${module.config.environment}"
+      issuer = "https://token.actions.githubusercontent.com"
+      subject = "repo:equinor/radix-vulnerability-scanner:ref:refs/heads/release"
+    }
+  }
+}
+
 output "mi-client-id" {
   value = module.mssql-database.mi-admin
 }
+output "radix-id-github-vulnerability-scan" {
+  value = { "client-id" = module.github-workload-id.client-id }
+}
diff --git a/terraform/subscriptions/s941/playground/vulnerability-scanner/variables.tf b/terraform/subscriptions/s941/playground/vulnerability-scanner/variables.tf
index e42cc4785..fae7b3be5 100644
--- a/terraform/subscriptions/s941/playground/vulnerability-scanner/variables.tf
+++ b/terraform/subscriptions/s941/playground/vulnerability-scanner/variables.tf
@@ -7,3 +7,8 @@ variable "keyvault_dbadmin_secret_name" {
   type = string
   default = "radix-vulnerability-scan-db-admin"
 }
+
+variable "acr_name" {
+  type = string
+  default = "radixdev"
+}